We do welcome any statements directly from AOL or any network
operations group regarding their plans for Sender ID or CSV. However,
we ask that they respect the fact that this is a discussion list and be
prepared to answer any technical questions that may arise from their
statements.
-andy, MARID co-chair
We remain committed to sender identity technologies.
We intend to begin beta testing SPF on our inbound systems very soon (weeks
from now). SPF is low hanging fruit that will benefit AOL and many other
domains although it will not work for 100% of the mail we receive. But it
will work for >80% of the mail we receive and that is good enough for a
first strike.
We also believe that the best way to secure the 822 FROM address is a
content signing approach which is out of the scope of this working group. We
hope to see a new group formed to tackle the issues in this arena.
DomainKeys, IIM and TEOS are all reasonable technologies in this arena. We
are sure their will be more which is a good thing for a working group :-)
We remain committed to other IP based approaches and see a lot of benefit to
the "newer" CSV idea. AOL already gets >85% of our spam from other ISPs main
outbound MTAs. SPF, SenderID, and Domainkeys will not change that as this
mail also uses the legit domain of that local ISP in the 821/822 headers.
CSV and certain best practice documents (BCPs) shift the responsibility to
the sending organization for the mess they create through their insecure
networks and insecure practices (like lack of SMTP AUTH of any form, lack of
any outbound controls, inability to suspend accounts, insecure web servers,
etc).
-Carl
--
Carl Hutzler
Director, AntiSpam Operations
America Online Mail Operations
cdhutzler(_at_)aol(_dot_)com
703.265.5521 work
703.915.6862 cell